Instructure “reached an agreement” with an unauthorized threat actor on Monday, just days after cybercriminals twice — within a little over a week — infiltrated the ed tech provider’s Canvas learning management system.

The latest cybersecurity incident on Thursday caused sweeping disruptions to schools and colleges nationwide after the cyber gang ShinyHunters posted a message that was seen by some users on their Canvas platforms. The post said that schools could negotiate a settlement with ShinyHunters by Tuesday — the same deadline given to Instructure.

Cybersecurity experts suggest Instructure’s agreement appears to be a ransomware payment, a practice the FBI strongly discourages.

Instructure said that as a part of its agreement with an unnamed threat actor, the stolen data was returned to the ed tech company, and it had received digital confirmation of data destruction in the form of “shred logs.” The threat actor said no Instructure customers will be extorted from this incident, Instructure said, and no individuals impacted by the breach will need to engage with them.

“While there is never complete certainty when dealing with cyber criminals, we believe it was important to take every step within our control to give customers additional peace of mind, to the extent possible,” Instructure said in a Monday statement on its website.

No ‘guarantee’ data will be deleted

ShinyHunters has been confirmed as the group behind the Canvas cyberattack, as the group posted about the initial incident to its leak site on May 3, said Rebecca Moody, head of data research at Comparitech, a cybersecurity and online privacy product review website, in a Tuesday statement.

In its May 3 post, ShinyHunters claimed to have stolen 3.65 TB of data from about 275 million users across 9,000 schools worldwide, according to Moody. Instructure has not confirmed how many schools or users were impacted by the recent data breaches.
“This post and the individual school-by-school threats ShinyHunters has sent likely put pressure on Instructure to meet the ransom demands to try and prevent data from being leaked,” Moody said. “However, let's not forget that ShinyHunters are cybercriminals. Even by paying this ransom demand, Instructure cannot guarantee the data will be deleted.”

Several class action lawsuits have already been filed against Instructure in federal district courts over the data breach.

Instructure confirmed last week that hackers gained unauthorized access to its systems through its Free for Teachers platform on April 29 and May 7. The exposed data included usernames, email addresses, course names, enrollment information and messages, Instructure said. The company added that “core learning data (course content, submissions, credentials) was not compromised,” and Canvas is now fully operational and safe to use.

Michael Klein, senior director for preparedness and response at the Institute for Security and Technology, said that while he agrees with the FBI in most cases that organizations should not pay ransoms to cybercriminals after a data breach, sometimes there are situations in which the compromised data could cause physical harm — such as a ransomware attack on a hospital. In that situation, paying a ransom might be necessary, he said.

With the Instructure incident, however, Klein said he doesn’t think the reported data that was compromised falls under such a scenario that would necessitate a payment.

“Also, you can't trust that a cybercriminal group is going to keep their word and not then go and extort all of the people downstream of that anyway,” Klein said.

The need for federal, state supports

When PowerSchool got hacked in December 2024, Klein was working at the U.S. Department of Education as the senior advisor for cybersecurity.
At the time, he was able to convene 41 states and Guam within a few days to share information on the incident including how to understand the challenges, communicate with the company, and mitigate the impact for schools.

Fast forward to the latest cyberattack on Instructure, and that federal authority and structure no longer exists, Klein said. In his own capacity at the Institute for Security and Technology, Klein said he was only able to convene 22 states on Friday to hold a similar conversation about Instructure after the “widespread” and “understandable freakout” from Thursday’s incident that caused disruptions for many school and college systems.

When the Education Department convened states a year and a half ago during the PowerSchool incident, that protected gathering was made possible through the Critical Infrastructure Partnership Advisory Council, Klein said. A little over a year ago, however, the U.S. Department of Homeland Security ended that council’s authority, he said. A DHS secretary could restore that authority without Congress, Klein said, and then the federal government could immediately assemble similar convenings again.

Klein added that restoring funding for the federal Multi-State Information Sharing Analysis Center, or MS-ISAC, could give school districts and state education agencies no-cost access to as much cybersecurity threat information as possible.

“This incident, as well as the PowerSchool incident, demonstrates the importance of support from the federal and state level in order to build capacity for institutions that cannot do this work themselves,” Klein said.

Meanwhile, on Tuesday, the Software & Information Industry Association sent letters to lawmakers in both chambers of Congress calling for a $36 million investment in the FY 2027 budget to ensure schools have access to digital security services.
SIIA called for $20 million to fund MS-ISAC and $10 million for the Readiness and Emergency Management for Schools Technical Assistance Center to reestablish a central hub for school-specific cyber-incident management. The group also urged that another $6 million is needed to support the Education Department in its role as the leading agency for coordinating educational cybersecurity.

“Following the 2025 federal funding shifts that resulted in the ‘offboarding’ of school districts from essential threat monitoring services and the shuttering of key technical assistance centers, America’s K-12 education sector is currently at its most vulnerable state in a decade,” said SIIA’s letter to leaders on the Senate Appropriations Subcommittee on Labor, Health and Human Services, Education, and Related Agencies.
Summary generated from the RSS feed of K-12 Dive Technology. All article rights belong to the original publisher. Click through to read the full piece on www.k12dive.com.
